Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
Add recipe for adding custom server
2025-07-23 19:24:40 +00:00 · 2025-01-16 16:01:04 +00:00 · 2024-11-20 17:07:11 +01:00 · 2024-09-10 18:11:40 +02:00 · 2024-07-17 21:12:32 +00:00 · 2024-01-24 09:39:09 +00:00
4 changed files with 101 additions and 2 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.17-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
 * Thu Jun 15 2023 Todd Zullinger <tmz@pobox.com> - 0.17-11
 - Remove execute bit on ssh_config.d snippet

--- a/dnssec-trigger-0.17-openssl-3.2.patch
+++ b/dnssec-trigger-0.17-openssl-3.2.patch
@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
+++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+ 
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+# create trusted usage pem for CA, what are signed certs allowed to do?
+openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+ 
+ # create client request and sign it, piped
+ cat >request.cfg <<EOF
+-- 
+2.46.0
+
--- a/dnssec-trigger-0.17-server-recipe.patch
+++ b/dnssec-trigger-0.17-server-recipe.patch
@ -0,0 +1,59 @@
+From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
+---
+ dnssec.conf     | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
+++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ #  - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
+# validate_connection_provided_zones=no
+ #
+ #  - Connection provided zones will be configured in Unbound as secure forward
+ #    zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ #    Turning this option off has security implications, See the security
+ #    notice above.
+ #
+-validate_connection_provided_zones=yes
+validate_connection_provided_zones=no
+ 
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
+++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ 
+# How to add your own record:
+# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
+# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
+# Append returned sha256 Fingerprint after ssl443: IP-address section.
+
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+ 
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+ 
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+-- 
+2.47.0
+
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@ -33,6 +33,9 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
 Patch5: dnssec-trigger-configure-c99.patch
 # https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
 Patch6: dnssec-trigger-0.17-allowed-characters.patch
+Patch7: dnssec-trigger-0.17-openssl-3.2.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/15
+Patch8: dnssec-trigger-0.17-server-recipe.patch

 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22
@ -117,9 +120,9 @@ sed -i "s/validate_connection_provided_zones=yes/validate_connection_provided_zo

 %make_build

-%autopatch -p1 -m 2 -M 2
+%autopatch -p1 2
 cp -p example.conf dnssec-trigger-workstation.conf
-%autopatch -p1 -m 1 -M 1
+%autopatch -p1 1


 %install
Author	SHA1	Message	Date
Fedora Release Engineering	559a9eaee1	Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild	2025-07-23 19:24:40 +00:00
Fedora Release Engineering	6a978fe44e	Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild	2025-01-16 16:01:04 +00:00
Petr Menšík	0c89edf730	Add recipe for adding custom server Related: RHEL-6597	2024-11-20 17:07:11 +01:00
Petr Menšík	b0889c46e9	Mark explicitly server cert with CA flag Since OpenSSL 3.2 it did not connect from control to server cert. Create server with indication is it CA. Also use clientAuth trust for CA cert. That allows control cert to be used for client authentication. Resolves: rhbz#2310947	2024-09-10 18:11:40 +02:00
Fedora Release Engineering	52d732d58d	Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild	2024-07-17 21:12:32 +00:00
Fedora Release Engineering	848c0c938a	Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild	2024-01-24 09:39:09 +00:00
Fedora Release Engineering	752566b521	Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild	2024-01-19 17:22:42 +00:00
Petr Menšík	428487f73d	fixup! Reuse common parts in test [skip changelog]	2023-07-25 20:52:31 +02:00
Petr Menšík	0e9e73b7fc	fixup! Include basic test for dnssec-trigger [skip changelog]	2023-07-25 19:20:38 +02:00
Petr Menšík	581364d032	Minimize changes to default config Use built-in defaults modified for Fedora instead.	2023-07-25 18:59:52 +02:00
Petr Menšík	0c43f2ef12	Do not require whole systemd Systemd is not strictly required. Ensure just macros for its building are present, but do not require whole systemd for building.	2023-07-25 18:59:52 +02:00
Petr Menšík	97da47c209	Always use xdg-open as login tool Do not rely on autodetection at build-time. Instead set explicitly default tool.	2023-07-25 18:59:52 +02:00
Petr Menšík	c3df26f3bd	Modify default configuration just with few changes Since we no longer provide special servers, use just modification to upstream example.conf to create default and workstation variants of configuration files.	2023-07-25 17:51:55 +02:00
Petr Menšík	8e10af3061	Reuse common parts in test [skip changelog]	2023-07-25 13:43:49 +02:00
Petr Menšík	3237bd51fd	Fix error in HTTP and HTTPS workaround modes	2023-07-25 12:38:21 +02:00
Petr Menšík	5cfc17cd87	Make test_http and test_ssl working again Correct configuration were not allowed into unbound by error, which were already fixed upstream. Backport the fix too.	2023-07-25 12:32:56 +02:00
Petr Menšík	f2afacc02b	Include basic test for dnssec-trigger Should ensure fallbacks provided in configuration are working. Actually discovered regression in our version. [skip changelog]	2023-07-25 12:32:40 +02:00
Petr Menšík	ab9e2f0246	Update upstream servers to zus.nlnetlabs.nl. Upstream servers no longer have the original IP addresses or that hash. Fix addresses to working set actually instead of uncommenting the very old set. The set were changed in 2014 by upstream commit bafdcd5.	2023-07-25 10:52:36 +02:00
Petr Menšík	b496e2cb00	Remove Paul's servers They seem to be offline as well.	2023-07-24 17:14:50 +02:00
Petr Menšík	afbbb0cb5d	Modernize spec a bit, use SPDX licenses	2023-07-24 17:07:23 +02:00
Petr Menšík	6625e05a2b	Convert to %autorelease and %autochangelog [skip changelog]	2023-07-24 16:20:41 +02:00
Petr Menšík	dd2de13ba0	Remove fedora specific servers These servers had not been actively maintained for years. Because we even haven't found some of them had too strict firewall. Direct few users that need them to upstream provided servers.	2023-07-24 16:18:20 +02:00
Fedora Release Engineering	ce267980ac	Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>	2023-07-19 17:41:57 +00:00